Skillv1.0.0

ClawScan security

OpenClaw Upgrade Fix · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 26, 2026, 6:16 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's files and instructions match an OpenClaw upgrade/repair tool, but it automatically elevates agent/tool permissions (sets tools.profile='full'), manipulates sensitive local config/backups (including auth-profiles.json), and runs a network install (npm i -g) — behaviors that are coherent for an upgrade tool but pose security-sensitive changes that should be reviewed before use.
Guidance: This skill appears to be a legitimate OpenClaw upgrade/fix tool, but it performs several sensitive actions automatically. Before installing or running it: 1) Inspect ~/.openclaw/openclaw.json and auth-profiles.json to understand what will be changed and what secrets may be backed up. 2) Review and, if necessary, remove or modify the code that sets tools.profile='full' — granting 'full' tooling permissions can enable remote code execution or broader agent capabilities. 3) Verify that backing up auth-profiles.json to ~/.openclaw/backups is acceptable (consider encrypting or restricting backup permissions). 4) Confirm you trust the npm package origin before running 'npm i -g openclaw@latest' (perform offline review or pin a known good version). 5) Run the scripts first in a staging/test environment and review logs before applying to production. 6) Note the SKILL.md references smart-backup.sh/openclaw-recovery which are not included — ensure your backup automation is present. If you are uncomfortable with automatic permission elevation or backing up sensitive auth files, do not run these scripts until they are audited/modified.

Review Dimensions

Purpose & Capability: okThe name/description claim an upgrade-and-fix utility for OpenClaw 2026.4.x; the included scripts back up ~/.openclaw files, run an npm upgrade, restart the Gateway, clean plugin dirs, and validate/repair config — all consistent with that purpose. The SKILL.md references related skills/scripts not present in this package (e.g., smart-backup.sh/openclaw-recovery), which is a minor inconsistency but not critical.
Instruction Scope: noteRuntime instructions and the three scripts operate on the user's home OpenClaw data (~/.openclaw), read/write JSON configs, restart services, and delete plugin directories. These actions are within the upgrade/repair scope, but the scripts also unconditionally set 'tools.profile' to 'full' and copy auth-profiles.json to backups. The SKILL.md and scripts assume control over agent permissions and sensitive files — this is powerful and requires explicit user review before execution.
Install Mechanism: noteThere is no install spec in the registry, but the upgrade script performs a runtime network install via 'npm i -g openclaw@latest'. Using npm to fetch the updated product is expected for an upgrade script, however it downloads and executes code from the public npm registry at runtime, which is a non-trivial security action and should be performed only when the package origin and version are trusted.
Credentials: concernThe skill declares no environment variables, but it reads and writes sensitive local config files (openclaw.json, auth-profiles.json, various workspace files). Backing up auth-profiles.json may copy authentication material to backups; the script does not encrypt or otherwise protect these backups. Most notably, the scripts force tools.profile='full' — an elevation that broadens allowed tool capabilities (exec/gateway/browser/etc.). That change is disproportionate unless the user explicitly wants to grant full tooling privileges.
Persistence & Privilege: concernThe skill does not set always:true and does not modify other skills, but it persistently modifies the OpenClaw configuration to set tools.profile='full', which effectively grants broader privileges to agents/tools going forward. This permanent configuration change is a high-impact side effect and should be explicitly acknowledged and approved by the administrator before running.